GENERAL SERVICES ADMINISTRATION
WASHINGTON, D.C. 20405


October 9, 1975 


FEDERAL PROPERTY MANAGEMENT REGULATIONS 
TEMPORARY REGULATION E-43 


TO: Heads of Federal agencies
SUBJECT: Protection of privacy and data security 


1. Purpose. This temporary regulation sets forth rules
and procedures relevant to protection of privacy and data 
security in accordance with the Privacy Act of 1974. 


2. Effective date. This regulation is effective September 27, 
1975. 


3. Expiration date. This regulation expires March 31, 1976. 


4. Background. The Privacy Act of 1974 sets forth certain
safeguards for an individual against an invasion of personal 
privacy by requiring Federal agencies to abide by the provi- 
sions of the act. This regulation informs the agencies of 
GSA's privacy safeguards concerning ADP and telecommunications. 


5. General. This regulation sets forth rules and procedures
to be followed by agencies in making use of, or providing,
interagency ADP services. This regulation applies to interagency,
intra-agency, and commercial ADP service arrangements.


This regulation also sets forth the procedures to be followed
by agencies in preparing solicitation documents for procuring
ADP equipment, software, and services and telecommunications
facilities and services.


6. Applicability. The provisions of this regulation apply 
to all Federal agencies.


7. Definitions. For the purpose of this temporary regulation 
the following terms shall have the meaning set forth below: 


a. The term "agency" means agency as defined in the 
Privacy Act of 1974. 


b. The term "individual" means a citizen of the United 
States or an alien lawfully admitted for permanent residence. 




Approved For Release 2003/08/20 : CIA-RDP84-00933R000300240005-0 




FPMR Temp. Reg. E-43    October 9, 1975


c. The term "maintain" includes maintain, collect, 
use, or disseminate. 


d. The term "record" means any item, collection, or 
grouping of information about an individual that is maintained 
by an agency, including, but not limited to, his education, 
financial transactions, medical history, and criminal or 
employment history and that contains his name or the 
identifying number, symbol, or other identifying particular 
assigned to the individual, such as a finger or voice print
or a photograph.


e. The term "system of records" means a group of any
records under the control of any agency from which information
is retrieved by the name of the individual or by some identifying
number, symbol, or other identifying particular assigned to
the individual.


f. The term "threats and hazards" means man-made or 
natural events, the occurrence of which may result in the 
loss, alteration, or unauthorized access to data. 


g. The term "safeguards" means those procedures, methods, 
and devices which have as their specific function the prevention 
or mitigation of the effects of threats and hazards. 


h. The term "rules of conduct" means those administrative
procedures, methods of work, and standards of conduct which
together define the manner in which persons involved in the
design, development, operation, or maintenance of systems of
records will maintain, collect, use, or disseminate such records.


i. The term "Government contractor" means any individual 
or other entity who contracts to operate by or on behalf of 
an agency a system of records to accomplish an agency function. 


8. Security and privacy requirements. 


a. The Privacy Act of 1974, 5 U.S.C. 552a, requires that
each agency that maintains a system of records shall:


(1) Maintain in its records only such information about
an individual as is relevant and necessary to accomplish a
purpose of the agency required to be accomplished by statute or
by Executive order of the President (5 U.S.C. 552a(e)(10)). Thus,
protection of privacy is promoted by limiting the amount of
information maintained.


(2) Establish rules of conduct for persons involved in the
design, development, operation, or maintenance of any system of
records or in maintaining any record, and instruct each such
person with respect to such rules and the requirements of this
action, including rules and procedures adopted pursuant to this
section and the penalties for noncompliance (5 U.S.C. 552a(e)(9)).


(3) Establish appropriate administrative, technical,
and physical safeguards to ensure the security and confidentiality
of records and to protect against any anticipated
threats or hazards to their security or integrity which could
result in substantial harm, embarrassment, inconvenience, or
unfairness to any individual on whom information is maintained
(5 U.S.C. 552a(e)(10)). It should be noted that the development
of appropriate safeguards will necessarily be tailored to the
requirements of the system of records being maintained. In
addition, the need to provide safeguards may be influenced by
other considerations such as ensuring continuity of agency
operations, protecting proprietary data, protecting national
security information, and ensuring accuracy and reliability
of information.


b. Agencies contemplating acquisition of ADP or telecommunications
equipment or services must determine whether such
acquisitions will involve maintaining a system of records defined
by the act. If so, the requirements cited in paragraph 8a,
above, must be met, and the rules and procedures set forth in this
temporary regulation must be adhered to.


c. Definition of responsibilities for implementing the
act [illegible] the Office of Management and Budget (OMB)
Guidelines dated July 1, 1975. The OMB guidelines are found
[illegible]


9. Interagency ADP services. Special considerations and
responsibilities apply in those instances in which one agency
(the user agency) obtains ADP services from another (the
provider agency) in the course of maintaining or operating
systems of records. Specifically, these instances include
the ADP Sharing Program (41 CFR 101-32.203) and the Federal
Data Processing Centers (FDPC) (41 CFR 101-32.8).


10. User agency responsibilities. A user agency shall:


a. Determine its data confidentiality and security 
requirements before storing or processing systems of records
at a provider agency's facility; 


b. Include in its screening of ADP resources an exami- 
nation of the ability of each resource to meet its data confi- 
dentiality and security requirements (Specifically, the adequacy 
of available technical, administrative, and physical safeguards 
to counter anticipated threats and hazards must be evaluated.); 


c. Satisfy itself that the rules of conduct governing 
the activities of personnel of the provider agency are 
commensurate with its data confidentiality and security 
requirements; 


d. Obtain services from only those provider agencies 
that fully meet the user agency's data confidentiality and 
security requirements; 


e. Recognize that the records it stores or processes 
at the facility of a provider agency will be considered to 
be maintained by the user agency; and 


f. Establish written rules governing the disclosure by 
a provider agency of records considered to be maintained by 
the user agency. 


11. Provider agency responsibilities. A provider agency shall: 


a. As specified in 8a, above, develop rules of conduct 
for personnel involved in design, development, operation, or 
maintenance of equipment, systems, or services used to 
store or process systems of records; 


b. In accordance with 8a, above, undertake a continuing 
program of review of its operations to ensure that threats 
and hazards to data confidentiality and security are properly 
identified and that appropriate safeguards are implemented; 


c. Make available rules of conduct and information on 
safeguards to user agencies;


d. Refrain from disclosing any records stored or processed
for a user agency except to that agency or under written rules 
established and provided by that user agency; and 


e. Make known to user agencies changes in its percep- 
tion of threats and hazards to data confidentiality and 
security or any changes in the safeguards implemented to 
protect against those threats and hazards. User agencies 
may use information on such changes to reevaluate their usage
of the provider agency's services. 


12. Contractors' responsibilities. Subsequent to the effective 
date of the act, all persons, including contractors, who are 
involved in the design, development, operation, or maintenance 
of any system of records, or the maintenance of any record,
are subject to the applicable provisions of the act, including
the agency rules of conduct. In addition, pursuant to 5 U.S.C. 
552a(m), Government contractors, as defined in Section 7(i), 
above, and their employees are also subject to the criminal 
sanctions of 5 U.S.C. 552a(i). 


13. Solicitation documents.


a. Agencies authorized to procure ADP equipment, software,
or services in accordance with 41 CFR 101-32 or to procure
telecommunications equipment or services in accordance with
41 CFR 101-35 shall include in their solicitation documents:


(1) Agency rules of conduct which a contractor and 
his employees shall be required to adhere to; 


(2) A list of the anticipated threats and hazards 
which are pertinent to the contemplated procurement and 
which the contractor must safeguard against; 


(3) A description of the safeguards which the agency 
specifically requires the contractor to provide; and 


(4) A notice that under 5 U.S.C. 552a(m) of the act 
Government contractors and any employees of such contractors 
are subject to the criminal penalties of 5 U.S.C. 552a(i). 


b. Agencies shall also: 


(1) Evaluate vendor proposals to determine the adequacy 
of the safeguards proposed in meeting the anticipated threats 
or hazards to the security and integrity of records; 


(2) Verify that any safeguards proposed by an offeror
before award of a contract are in use and effective before
commencing work under the contract;


(3) Identify in the specification and contract the test 
methods, procedures, and criteria to be used to verify that 
all safeguards have in fact been provided; 


(4) Verify that any safeguards provided as a result of 
work done under the contract are effective; and 


(5) Include in the system specifications and contract
the requirements of the Government for a program of subsequent
inspection that will be followed to ensure the continued efficacy
and efficiency of safeguards and the discovery and countering of
new threats and hazards.


14. Agency comments. Comments concerning the effect or impact 
of this regulation on agency operations or programs should be 
submitted to the General Services Administration (CP), 
Washington, DC 20405, no later than October 31, 1975. 


ARTHUR F. SA 


Administrator of General Services


GSA DC 76.3394 